The parameterized query code does not block DDL statements from referencing parameter markers.
It appears we have some protection that fails us when the view is invoked:
Right now I think affected are:
- DEFAULT definition
- VIEW definition
but any other future standard expression popping up is at risk, such as SQL Functions, or GENERATED COLUMN.
CREATE TABLE AS is debatable, since it it executes the query at definition only.
For simplicity I propose to block the feature from ANY DDL statement (CREATE, ALTER).